Security & Trust in the Cloud - IIT School of Applied Technology

Ray TrygstadDirector of Information Technology,IIT School of Applied TechnologyAssociate Director, Information Technology & Management Degree Programs

Security & Trust in the Cloud

Cloud Computing Primer

► Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction

http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc

Cloud Computing Primer

►This cloud model promotes

availability and is composed of

■ Five essential characteristics

■ Three service models

■ Four deployment models


Cloud Five Essential Characteristics

►On-demand self-service

►Broad network access

►Resource pooling

►Rapid elasticity

►Measured Service


Cloud Three Service Models

►Software as a Service (SaaS)■ Use provider’s applications over a network

►Platform as a Service (PaaS)■ Deploy customer-created applications to a cloud

► Infrastructure as a Service (IaaS)■ Rent processing, storage, network capacity, and

other fundamental computing resources

■ Now often a key to disaster recovery


Cloud Four Deployment Models

► Private cloud

■ Enterprise owned or leased

► Community cloud

■ Shared infrastructure for specific community

► Public cloud

■ Sold to the public, mega-scale infrastructure

► Hybrid cloud■ Composed of two or more clouds


Cloud Landscape

Cloud Computing Often Leverages…

► Massive scale

► Homogeneity

► Virtualization

► Resilient computing

► Low cost software

► Geographic distribution

► Service orientation

► Advanced security technologieshttp://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc

9

Community

CloudPrivate

CloudPublic Cloud

Hybrid Clouds

Deployment

Models

Service

Models

Essential

Characteristics

Common

Characteristics

Software as a

Service (SaaS)

Platform as a

Service (PaaS)

Infrastructure as a

Service (IaaS)

Resource Pooling

Broad Network Access Rapid Elasticity

Measured Service

On Demand Self-Service

Low Cost Software

Virtualization Service Orientation

Advanced Security

Homogeneity

Massive Scale Resilient Computing

Geographic Distribution

The NIST Cloud Definition Framework

Multi-Tenancy

► Implies a need for

■ Policy-driven enforcement,

■ Segmentation

■ Isolation

■ Governance

■ Service levels

■ Chargeback/billing models

► For different consumer constituencies


Cloud Use in Enterprises

►Effective use requires

■ Very robust network connectivity

(i.e. honking big bandwidth )

■ Security

■ Guarantee of service

Security and guarantee of service at

some levels provided by Service Level

Agreements

Key Technology: Virtualization

What is Cloud Computing? Jimmy Lin; The iSchool, University of Maryland. Wednesday, September 3, 2008

Hardware

Operating System

App App App

Traditional Stack

Hardware

OS

App App App

Hypervisor

OS OS

Virtualized Stack

Cloud Reference Model

From Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 Prepared by the Cloud Security Alliance, December 2009

Presentation Modality

Presentation Platform

APIs

Applications

Data ContentMeta-data

Integration and middleware

APIs

Hardware

Facilities

Core Connectivity& Delivery

Abstraction

SaaS

Integration and middleware

APIs

Hardware

Facilities


Abstraction

PaaS

APIs

Hardware

Facilities


Abstraction

IaaS

Security is a Major Issue

2%

13%

17%

17%

25%

26%

34%

49%

51%

54%Security defects in the technology itself

Unauthorized access to or leak of our proprietary information

Unauthorized access to or leak of our customers’ information

Application/system performance

Business continuity/DR readiness of provider

Business viability of provider; risk company will fail

Vendor lock-in

Features and general maturity of technology

Unpredictable costs

Other

Cloud Computing Concerns

Note: Three responses allowed

Base: 310 respondents using, planning to use or considering using cloud computing

Data: InformationWeek Analytics 2010 Cloud GRC Survey of 518 business technology professionals, January 2010

Cloud Security Key Issues

► Some key issues:

■ Trust, multi-tenancy, encryption, compliance

■ Clouds are massively complex systems can be

reduced to simple primitives that are

replicated thousands of times and common

functional units

► Cloud security is a tractable problem

■ There are both advantages and challenges

Effectively and Securely Using the Cloud Computing Paradigm Peter Mell & Tim Grance; NIST, Information Technology Laboratory 10-7-2009

Cloud Security Advantages

► Shifting public data to a external cloud

reduces the exposure of the internal

sensitive data

► Cloud homogeneity makes security

auditing/testing simpler

► Clouds enable automated security

management

► Redundancy / Disaster Recovery

Effectively and Securely Using the Cloud Computing Paradigm Peter Mell & Tim Grance; NIST, Information Technology Laboratory 10-7-2009

Cloud Security Challenges

► Trusting the vendor’s security model

► Customer inability to respond to audit

findings

► Obtaining support for investigations

► Indirect administrator accountability

► Proprietary implementations that can’t

be examined

► Loss of physical controlEffectively and Securely Using the Cloud Computing Paradigm Peter Mell & Tim Grance; NIST, Information Technology Laboratory 10-7-2009

Cloud Security Standards (!)

►National Institute for Standards and

Technology

NIST Special Publication 800-144

Guidelines on Security and Privacy in

Public Cloud Computing (Draft)

►Cloud Security Alliance

Security Guidance for Critical Areas

of Focus in Cloud Computing V2.1

Compliance Security Cloud


Who Does Security Where?


Scope & Control in Cloud Service Models

From NIST Draft Special Publication 800-144 Guidelines on Security and Privacy in Public Cloud Computing by Wayne Jansen and Timothy Grance

SaaS and Security

Provides:

►Most integrated functionality

►Least consumer extensibility

►Relatively high level of integrated

security

■ Provider bears a responsibility for security


PaaS and Security

►Enables developers to build their own

applications on top of the platform

►Tends to be more extensible than SaaS

►Built in security features and

capabilities are less complete

■ But there is more flexibility to layer on

additional security


IaaS and Security

►Provides few if any application-like

features, but enormous extensibility

►Less integrated security capabilities

and functionality beyond protecting

the infrastructure itself

►Requires OS, apps, and content be

managed and secured by the consumer


SaaS Security

►Vendor bears primary responsibility

►Governed/driven by Service Level

Agreements

►Gartner suggests 7 issues to settle

with vendor

■ All should be specified by SLA

Service Level Agreements (SLAs)

► Contract between customers and

service providers of the level of

service to be provided

► Contains performance metrics (e.g.,

uptime, throughput, response time)

► Problem management details

►Documented security capabilities

► Contains penalties for non-performance

SaaS Security

►Privileged user access

►Regulatory compliance

■ Ensure vendor is willing to undergo

external audits and security certifications

►Data location

■ Ask if they’ll commit to storing/processing

data in specific jurisdictions, and if they’ll

obey local privacy requirementsGartner: Seven cloud-computing security risks, 02 July 2008, http://www.infoworld.com/d/security-central/gartnerseven-cloud-computing-security-risks-853?page=0,0

SaaS Security

►Data segregation

■ Ensure encryption is available at all stages

and encryption schemes were designed and

tested by experienced professionals

►Recovery

■ What will happen to your data and service

in a disaster; must replicate data and app

infrastructure across multiple sites

Gartner: Seven cloud-computing security risks, 02 July 2008, http://www.infoworld.com/d/security-central/gartnerseven-cloud-computing-security-risks-853?page=0,0

SaaS Security

► Investigative support

■ Get a contractual commitment to support

specific forms of investigation, along with

evidence that the vendor has already

successfully supported such activities

►Long-term viability

■ In case of vendor bankruptcy or acquisition,

ensure your data will remain available

Gartner: Seven cloud-computing security risks, 02 July 2008, http://www.infoworld.com/d/security-central/gartnerseven-cloud-computing-security-risks-853?page=0,0

SaaS Service Level Agreements

► salesforce.com – the “trust us” model

■ No SLA!

■ AKA “don’t worry be happy”

►Google Apps

■ Standard SLA has NO security clauses

■ Security addressed at security FAQ but

incurs no legal obligation

SaaS Service Level Agreements

►Microsoft SaaS offerings

■ Office 365 – no default SLA

■ Microsoft Exchange Online

■ SharePoint Online

■ Office Communications Online

■ Common SLA

● Virus protection

IaaS Security

►Trusting the Virtual Machine Image

■ If using VM image from IaaS vendor, it

should have the same level of security

verification and hardening for hosts in

the enterprise

■ Best alternative is to provide own image

conforming to same security policies as

internal trusted hosts or use virtual

images from a trusted third party.

IaaS Security

►Hardening Hosts

■ All precautions used to harden hosts in

the DMZ should be applied to VM images

■ Best practice is to build custom OS and

app platform images with only capabilities

necessary to support the application stack

IaaS Security

► Securing Inter-host Communication

■ Design in explicit controls to prevent disclosure

of sensitive information between hosts

►Managing Application Keys

■ IaaS platforms use a “secret key” to identify

a valid account

■ Normal enterprise standards and practices

for handling key material will need some

modification for application keys

IaaS Security

►Additional Requirements for Handling

Sensitive Information

■ Apps on IaaS must ensure sensitive

information does not leak during

processing

■ All precautions for handling sensitive info

for enterprise apps apply to IaaS hosted

applications

IaaS Security

►Treat IaaS VM instances as a “weak

instance” of normal enterprise systems

►Ensure strong OS-level firewall

protections are in place

■ Bi-directional stateful firewall

IaaS Service Level Agreements

►Rackspace

■ Agrees to follow security procedures at

least as stringent, in Rackspace’s

reasonable judgment, as described at

http://www.rackspace.com/information/

legal/securitypractices.php

IaaS Service Level Agreements

►Amazon.com

■ No mention of security in SLA

■ Overview of security in “Amazon

Web Services: Overview of Security

Processes”

● Implicit but no explicit contract

● SAS70 Type II audit procedures in place

■ http://awsmedia.s3.amazonaws.com/pdf/

AWS_Security_Whitepaper.pdf

Negotiate with Public Cloud Vendors

►Vetting of vendor employees

►Data ownership and exit rights

► Isolation of tenant applications

►Data encryption and segregation

►Tracking and reporting service

effectiveness


Negotiate with Public Cloud Vendors

►Compliance with laws and

regulations

►Use of validated products meeting

federal or national standards


Essential Reading…

► https://cloudsecurityalliance.org/csaguide.pdf

► http://csrc.nist.gov/publications/drafts/800-

144/Draft-SP-800-144_cloud-computing.pdf

► http://csrc.nist.gov/publications/drafts/800-

145/Draft-SP-800-145_cloud-definition.pdf

https://cloudsecurityalliance.org/csaguide.pdf

http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf




Ray Trygstad

► [email protected]

►630.447.9009

►http://trygstad.rice.iit.edu/

mailto:[email protected]

mailto:[email protected]

The End

►Questions?

Documents

Security & Trust in the Cloud - IIT School of Applied Technology